Linux Kernel Security
4.4K subscribers
109 photos
339 links
Links related to Linux kernel security and exploitation | Chat @linkersec_chat | @xairy @a13xp0p0v
From KernelSnitch to Practical msg_msg/pipe_buffer Heap KASLR Leaks

Article by Lukas Maar about evaluating the KernelSnitch timing side-channel attack on a variety of systems, including Android.

The attack allows leaking addresses of exploitation-relevant kernel allocations.

Lukas also published the source code for executing the attack.
👍6🔥5
Walkthrough of an N-day Android GPU driver vulnerability

Talk by Angus about analyzing CVE-2022-22706 — a logical bug in the Mali GPU driver that allows getting write access to read-only memory.
👍4👏2😱1
Out-of-Cancel: A Vulnerability Class Rooted in Workqueue Cancellation APIs

Hyunwoo Kim published an article describing a complicated exploit of a race condition caused by a misuse of the cancel_work_sync() kernel API in the network subsystem.
👍3🔥3👏1
Some notes on the security properties of the pipe_buffer kernel object

a13xp0p0v (me) posted an article about a few experiments with the pipe_buffer kernel object within his kernel-hack-drill project.

Alexander described multiple pipe_buffer features relevant for kernel exploits that rely on this object.
👍11🔥7🎉2
Recent Page Cache Corruption Bugs

A multitude of vulnerabilities that allow overwriting the page cache and thus changing the in-memory contents of read-only files, which can be used to gain LPE or escape a container in certain scenarios.

All stem from kernel code paths that perform in-place overwrites of user-supplied input pages without verifying that the pages are writable.

Copy Fail (CVE-2026-31431):

Announcement;
Better write-up.

Dirty Frag (CVE-2026-43284 and CVE-2026-43500):

— Covers two independent vulnerabilities that do not require chaining;
— CVE-2026-43284 is alternatively titled Copy Fail 2;
Original write-up;
Avoiding bruteforcing for CVE-2026-43500.

Fragnesia (CVE-2026-46300):

Original report;
Variant.

DirtyCBC / DirtyDecrypt (CVE-2026-31635?):

Write-up;
Another exploit.
🔥10👏6
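Added example (not code from this post or from any of the linked write-ups): the bugs above corrupt only the page-cache copy of a file, so the on-disk contents stay intact. One practical integrity check is to read the same file twice, once through the page cache (a normal read()) and once bypassing it (O_DIRECT), and compare. The program below does that for the first page of a file; it assumes Linux and a filesystem that supports O_DIRECT (it reports "inconclusive" rather than a false result where it does not). The sample file content in self_check() is constructed for the demonstration.

```c
// Compare the page-cache view of a file with its on-disk contents.
// Returns 0 when both views agree, 1 when they differ (page-cache
// corruption indicator), and -1 when the check is inconclusive
// (file unreadable, or the filesystem rejects O_DIRECT, e.g. some tmpfs).
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define CHECK_LEN 4096  /* first page only; extend for larger files */

/* read() until len bytes or EOF; returns bytes read or -1 on error */
static ssize_t read_full(int fd, void *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n < 0) return -1;
        if (n == 0) break;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

int page_cache_matches_disk(const char *path) {
    char cached[CHECK_LEN];
    void *direct = NULL;

    /* View 1: served from the page cache */
    int cfd = open(path, O_RDONLY);
    if (cfd < 0) return -1;
    ssize_t clen = read_full(cfd, cached, sizeof cached);
    close(cfd);
    if (clen < 0) return -1;

    /* View 2: O_DIRECT bypasses the page cache. The kernel writes back
       dirty pages in the range first, so a legitimately modified file
       still compares equal; only a cache-only overwrite shows up.
       O_DIRECT needs a buffer aligned to the logical block size; a
       page-aligned 4 KiB buffer satisfies every common block size. */
    if (posix_memalign(&direct, 4096, CHECK_LEN) != 0) return -1;
    int dfd = open(path, O_RDONLY | O_DIRECT);
    if (dfd < 0) { free(direct); return -1; }
    ssize_t dlen = read_full(dfd, direct, CHECK_LEN);
    close(dfd);
    if (dlen < 0) { free(direct); return -1; }  /* EINVAL: fs rejects O_DIRECT */

    int result = (dlen == clen && memcmp(cached, direct, (size_t)clen) == 0) ? 0 : 1;
    free(direct);
    return result;
}

/* Constructed sample: write a small passwd-like file and check it.
   On a healthy system this returns 0 (or -1 where O_DIRECT is unsupported). */
int self_check(void) {
    char path[] = "/tmp/pcache_check_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    const char sample[] = "root:x:0:0:root:/root:/bin/bash\n";  /* constructed */
    if (write(fd, sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    int r = page_cache_matches_disk(path);
    unlink(path);
    return r;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    int r = page_cache_matches_disk(path);
    if (r == 0)
        printf("%s: page cache matches disk\n", path);
    else if (r == 1)
        printf("%s: PAGE CACHE DIFFERS FROM DISK\n", path);
    else
        printf("%s: inconclusive (O_DIRECT unavailable or read error)\n", path);
    return r == 1 ? 2 : 0;
}
```

Run it against the usual targets of these exploits (/etc/passwd, setuid binaries, container runtime binaries). A mismatch means the page cache holds bytes the disk does not; since the corrupted pages are not marked dirty, dropping caches (as root, `echo 3 > /proc/sys/vm/drop_caches`) restores the on-disk view, which is also a way to confirm the finding.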
Discovery & Validation in the Linux Kernel

Three-part article by Samuel Page about analyzing two vulnerabilities (in CAN sockets and FUSE) and attempting to use local LLMs to rediscover the bugs.
🔥9
Privilege Escalation via a Page Use-After-Free in Qualcomm's AI Accelerator Linux Kernel Driver

Article by Lukas Maar about exploiting a bug in the mmap handler of the QAIC driver that causes a page UAF.
👍7🔥4🤯1
StepStone: LLM-Based GPU Kernel Driver Fuzzing via User-Space Libraries

Paper by Xiaochen Zou et al. about using LLMs to generate syzkaller descriptions for fuzzing GPU drivers via their user-space library APIs.
🔥12
Logic bug in the Linux kernel's __ptrace_may_access() function (CVE-2026-46333)

Article about a logical bug in the ptrace implementation that allows getting access to file descriptors of other processes and thus escalating privileges in certain scenarios.
🔥12🤯4